HHS prescribes 11 basic steps for securing mobile devices

By Kathleen Hickey

Dec 17, 2012

The Health and Human Services Department, acknowledging the privacy risks when dealing with health information, has released several online resources to help health care providers protect patient privacy when using mobile devices such as smart phones, tablets and laptop PCs. The tools include videos, fact sheets and posters to educate health care professionals on how to best safeguard patient health information.

While mobile devices hold promise in improving health care, “it’s important that these tools are used correctly,” said Joy Pritts, chief privacy officer for HHS’ Office of the National Coordinator for Health Information Technology. “Health care providers, administrators and their staffs must create a culture of privacy and security across their organizations to ensure the privacy and security of their patients’ protected health information.”

According to a recent Ponemon Institute survey, negligence is the main reason for patient privacy and data breaches, with the primary cause being lost or stolen computing devices (46 percent), most of which were mobile devices. On average, 51 percent of employees are bringing their own devices to health care facilities. Ninety-four percent of the health care organizations surveyed reported a data breach in the past two years.

Other common mobile device risks include using an unsecured Wi-Fi network; inadvertently downloading viruses or other malware; and unintentional disclosure to unauthorized users when sharing mobile devices with friends, family or coworkers.

HHS recommends several policy approaches to managing mobile devices, along with 11 specific steps organizations can take; the steps would apply equally to any public-sector agency that handles sensitive information.

1. Use a password or other user authentication
Configure mobile devices to require passwords, personal identification numbers or passcodes for access, and set the devices to lock their screens after a set period of inactivity.

3. Install and activate remote wiping and/or remote disabling
Use remote wiping to permanently erase data on a device that has been lost or stolen. Remote disabling locks the data instead, so the device can be made usable again if it is recovered.

4. Avoid file-sharing applications
Disable file-sharing apps that are on a device, and do not install any new ones. File-sharing software enables collaboration and the trading of files but also provides a way for unauthorized users to access mobile devices.

5. Install and enable a firewall
Use a personal firewall on individual devices that will detect connection attempts and allow or block each connection based on pre-set rules.

8. Research mobile apps before downloading
Only install and use apps from known, reputable providers, and verify that an app performs only the functions it should.

9. Maintain physical control
Keep mobile devices in locked drawers when they are not being carried by the user. Device screens should be locked, and users should not share devices.

10. Be careful with public Wi-Fi networks
Do not send or receive health information via a public Wi-Fi network unless it has secure, encrypted connections.

11. Delete all stored health information before discarding or reusing the mobile device
Follow HHS guidance to remove health information and other sensitive data before throwing out or reusing a mobile device.

HHS also recommends making devices undiscoverable by Bluetooth, not sharing devices and registering the device with your organization.

HHS isn’t the only agency offering advice on the issue. In October, the National Institute of Standards and Technology released draft security guidelines for mobile devices.